I recently ordered a RapidSSL SHA256 CA cert for one of my Zimbra servers. I had all sorts of trouble getting openssl to verify the complete SSL chain - intermediates, plus CA certs.
The RapidSSL docs provide a link to an SSL bundle here, however that bundle alone is not sufficient for openssl to verify the chain all the way to the root. I downloaded the bundle, put it into the file
ca_chain.crt, then ran openssl verify and got this error:
# openssl verify -verbose -CAfile ca_chain.crt cert.pem
cert: C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
error 2 at 2 depth lookup:unable to get issuer certificate
It turns out the bundle supplied by RapidSSL contains only the intermediates and not the top-level (root) certificate. I didn't realise this at first, which caused a bit of confusion. I ended up stepping through each certificate to find where the missing link was: I split each cert out into a separate file, ran
openssl x509 -in <certfile> -text -noout
on it, and looked at the Issuer: line to see which cert should come next in the chain, then checked that one in turn.
After that exercise I realised I was missing the top level certificate - ‘Equifax Secure Certificate Authority’:
# openssl x509 -in ca.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1227750 (0x12bbe6)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
[...]
I found that here: https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO28589
Once I appended that cert to my bundle file, verify returned OK:
# openssl verify -CAfile ca_chain.crt cert
cert: OK
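The whole exercise above (a bundle that stops one hop short of the root, the Issuer-to-Subject walk to find the gap, and openssl verify before and after appending the root) can be reproduced offline. The script below is an added example, not part of the original post and not RapidSSL's material: it constructs a throwaway PKI (a root, an intermediate and a server certificate with made-up names such as "Example Test Root" and mail.example.test), builds a bundle containing only the intermediate, walks the chain the way described in the post, and then repeats both checks with the root appended. The helper names (split_bundle, walk_chain, verify_ok) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway PKI
# (root -> intermediate -> server cert) and shows the two checks discussed:
# openssl verify against a bundle, and walking Issuer -> Subject by hand.
# Every name and file below is constructed; nothing real is touched.

WORK="$(mktemp -d)"

# Minimal req config so the example does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"

# new_csr <name> <subject>: generate a fresh key and CSR under $WORK.
new_csr() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

# Constructed PKI: self-signed root signs the intermediate, which signs the leaf.
make_test_pki() {
  new_csr root "/CN=Example Test Root"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -out "$WORK/root.crt" -days 30 -extfile "$WORK/ca.ext" >/dev/null 2>&1
  new_csr int "/CN=Example Test Intermediate"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -out "$WORK/int.crt" -days 30 -extfile "$WORK/ca.ext" >/dev/null 2>&1
  new_csr leaf "/CN=mail.example.test"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -out "$WORK/leaf.crt" -days 30 -extfile "$WORK/leaf.ext" >/dev/null 2>&1
}

# split_bundle <bundle.pem> <outdir>: one PEM certificate per file (cert-N.pem).
split_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/{n++} n>0 {print > (dir "/cert-" n ".pem")}' "$1"
}

# RFC 2253 names so Subject and Issuer strings compare exactly.
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }

# walk_chain <leaf.pem> <split-dir>: follow Issuer -> Subject through the split
# bundle. Hops go to stderr; stdout is "ROOT: <name>" when a self-signed cert is
# reached, or "MISSING: <issuer>" naming the certificate the bundle lacks.
walk_chain() {
  cur="$1"
  while :; do
    subj="$(subject_of "$cur")"; iss="$(issuer_of "$cur")"
    echo ">> $subj  (issued by: $iss)" >&2
    if [ "$subj" = "$iss" ]; then echo "ROOT: $subj"; return 0; fi
    next=""
    for f in "$2"/cert-*.pem; do
      if [ "$(subject_of "$f")" = "$iss" ]; then next="$f"; break; fi
    done
    if [ -z "$next" ]; then echo "MISSING: $iss"; return 0; fi
    cur="$next"
  done
}

# verify_ok <CAfile> <cert>: OK or FAIL according to openssl verify's exit status.
verify_ok() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

make_test_pki

# Vendor-style bundle: intermediate only, no root. This is the situation that
# produces "unable to get issuer certificate".
cat "$WORK/int.crt" > "$WORK/partial_chain.crt"
split_bundle "$WORK/partial_chain.crt" "$WORK/split-partial"
echo "partial bundle: $(walk_chain "$WORK/leaf.crt" "$WORK/split-partial")"
echo "openssl verify: $(verify_ok "$WORK/partial_chain.crt" "$WORK/leaf.crt")"

# Append the root and repeat: the walk reaches a self-signed cert and verify passes.
cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/ca_chain.crt"
split_bundle "$WORK/ca_chain.crt" "$WORK/split-full"
echo "full bundle:    $(walk_chain "$WORK/leaf.crt" "$WORK/split-full")"
echo "openssl verify: $(verify_ok "$WORK/ca_chain.crt" "$WORK/leaf.crt")"
```

The walk reports the exact Issuer name that no certificate in the bundle carries as its Subject, which is the name to go looking for at the CA; openssl verify alone only tells you the depth at which the lookup failed. Note that certificates given to -CAfile are treated as trust anchors, so a bundle that ends at an intermediate still fails unless the chain reaches a self-signed root (openssl's -partial_chain option is the deliberate exception).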